ISO 27001 & 22301 - Expert Advice Community


  • Templates content - RTO and RPO

    Today we bought the BIA toolkit according to the ISO 22301:2012 version of the standard. But, checking the document, I cannot identify the (RTO and RPO) values.
    These values are very important for us because our customer is requesting them as part of the BIA report.
    How can I identify, relate, or include these values in the Excel questionnaire?

  • Templates and applicable controls

    I have downloaded the files saved under my project. I have a question here. Since there are around 114 controls listed in the ISO 27001 manual, do we have a template for each control here, or can one template be used for the documentation of multiple controls? For example, please find attached the A.8.2 template for the documentation, and in the documentation (IT Security Policy) the text below is mentioned. So the question is whether the attached document is valid only for A.8.2 or whether it is valid for all the controls mentioned in the screenshot below.

  • Corrective actions

    I do have one more question about best practices for ISO 27001 implementation regarding corrective actions.

    Let's assume the scenario:
     - We have implemented ISMS policy
     - During the internal audit, we have found a non-conformance to the policy in a specific area/control.

    We can make one of three decisions based on known risks:

    •  Register non-conformance and resolve it in short-term
    •  Register exception to policy for 6-12 months
    •  Modify policy since it was too strict

    The option to address it in the short term is always the best, but I want to find out the best practices for long-term solutions (option 2).

    Is it better to keep a non-conformance list or an exception list and revalidate it every time?

  • SoA and supplier-related risks

    I have the following question:

    Company A rents virtual as well as complete servers from a hosting provider. On these servers a development company develops customized software for company A. The scope of the ISMS of company A covers the whole organization and therefore also the data and applications on the servers. Company A has no software development of its own.

    Question: Regarding 14.2.5, 14.2.6, 14.2.8 and 14.2.9, can company A exclude these controls in the SoA and apply only 14.2.7, as the responsibility/risk is contractually transferred to the development company and company A does not have any software development of its own? The risk assessment has shown some risks with regard to the development process on the servers, but these have been treated by contractually transferring the liability to the solution provider and applying the chapter 15 controls. Contractually, the development company is responsible for maintaining the security of the servers. What would be the best approach here?

  • Scenario based risk assessment

    What is the key difference between an asset-threat-vulnerability assessment and a scenario-based assessment? Don't you end up pulling threats and vulnerabilities through into any scenario by default?

  • Justifications in the SoA

    SoA > Can "Mandatory according to ISO 27001 or GDPR" be a valid justification, or does it have to be a specific risk?

  • Development Risk Assessment and Treatment Methodology

    I acquired the risk assessment and treatment methodology template. When developing the document, you cite some references such as:

    • Job title
    • Position

    Who would these people be?

  • CCPA and ISO 27001 Lead Auditor

    I have 30 years of experience in software development, project management and at executive levels, mostly in the US. I also have some recent experience in designing and implementing data privacy policies in a higher education institution in the US. If I pass the ISO 27001 Lead Auditor certification exam, will that help me in getting started as a Provisional or Internal Auditor for CCPA requirements? I would like to set up a time with you to discuss.

  • ISO 27001 certification

    We are from the UK and found your excellent courses, and then this 27001Academy, which claims we can do ISO 27001 ourselves. However, we need to get the UKAS-accredited ISO 27001 certification, UKAS being the IAF NAB for the UK. How does this fit in with your DIY claim?

  • Annual Program for Internal Audits

    Document my question refers to: Annual Program for Internal Audits

    Question:
    I have a question about the last column of the table ("Protocol to execute the audit").
    The comment on the column refers to the "Report on the internal audit". When we talk about "Protocol" in this column, do we mean the "Report"? That is, is the "Protocol" the same thing as the "Report"?